Wednesday, 27 June 2012

vBulletin 4.2 persistent XSS

Because my bug leaked somehow, here you have full detailed info:

[ TITLE ....... ][ Persistent Cross-Site Scripting in vBulletin 4.2
[ DATE ........ ][ 15.06.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.vbulletin.com
[ VERSION ..... ][ 4.2
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [
[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...
[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)
[--------------------------------------------[
[ 2. What is the type of vulnerability?
This is persistent cross-site scripting attack.
Vulnerability can be exploited by normal ("registered") user.
[--------------------------------------------[
[ 3. Where is bug :)
To exploit this vulnerability we need (to create/register) account of normal user:
3.1. Go to Your http://vBullet.in/forum/ and log in as a "normal user". (screen01)
3.2. After login in, we are redirecting to /activity.php (This page is called 'Activity Stream').
3.3. Now (as a registered user), we need to go to our /forum/calendar.php.
3.4. We are now at "HOME-> Calendar ->Default Calendar". Now (on right) we must click
to 'Add new event'. (screen02)
3.5. Vulnerable form here is 'Title'. To check it, type as a title something like:
test-title'><h1>Hi<br>Noam</h1><script>alert(123);</script> (screen03).
3.6. And now. Your 'new event' is added 'as a clear text' - by 'clear text' I mean
'text only, without XSS'. But...
3.7. Logout now, and log-in again. Your added XSS-code, will be presented at
first page (activity.php) for user who will log in.
If You want re-test this bug, You should create 2 users: registered1 and registered2.
Add payload ('add new event') as a registered1, and log out. Now log-in as a registered2,
and after login-page, there should be trigerred XSS.
[--------------------------------------------[
[ 4. More...
- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Pentests - mail me.
]
[ Best regards
[